
[mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from the browser's local filesystem that has a filename that contains HTML.

This attack requires a filesystem that supports angled brackets in
filenames (Windows does NOT; Linux does). Essentially, a user has to
upload a malicious filename that they created on their own filesystem.

Conflicts:
	imp/docs/CHANGES
	imp/js/compose-dimp.js
	imp/package.xml
slusarz committed Oct 29, 2012
1 parent 9037dfa commit 1550c6ecd7204f9579fcbb09ec7089e01b0771e2
Showing with 7 additions and 4 deletions.
  1. +4 −2 imp/docs/CHANGES
  2. +1 −1 imp/js/compose-dimp.js
  3. +2 −1 imp/package.xml
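The bug the commit message describes, shown as an added example rather than the project's own code: the dynamic-view compose page builds the "uploading" status text by string concatenation and hands it to Prototype's `Element#update()`, which assigns `innerHTML`, so a filename containing markup is rendered as markup. The `escapeHTML` below is a stand-in for Prototype's `String#escapeHTML` (assumed to have the same `&`, `<`, `>` contract); the filename is constructed for the demonstration.

```javascript
// Stand-in for Prototype's String#escapeHTML (assumption: it rewrites
// only &, < and >, which is enough to neutralise element tags).
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Before the fix: the raw filename goes straight into a string that
// update() will assign to innerHTML, so any tag in the name is parsed
// as HTML instead of being shown as text.
function uploadWaitHtmlVulnerable(uploadingText, filename) {
  return uploadingText + ' (' + filename + ')';
}

// After the fix: the filename is escaped before concatenation, so the
// same characters survive only as text.
function uploadWaitHtmlFixed(uploadingText, filename) {
  return uploadingText + ' (' + escapeHTML(filename) + ')';
}

// Detector used by the check below: does the fragment still contain
// something the HTML parser would treat as a tag start?
function containsTag(html) {
  return /<[A-Za-z\/!]/.test(html);
}

// Constructed sample: a Linux filesystem allows '<' and '>' in names,
// which is the precondition the commit message spells out.
const SAMPLE_FILENAME = '<b>quarterly</b>.txt';
const UPLOADING_TEXT = 'Uploading...';

function demo() {
  return {
    vulnerable: uploadWaitHtmlVulnerable(UPLOADING_TEXT, SAMPLE_FILENAME),
    fixed: uploadWaitHtmlFixed(UPLOADING_TEXT, SAMPLE_FILENAME),
  };
}
```

Run `demo()` to see both strings side by side; only the vulnerable one still contains a live `<b>` tag.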
@@ -207,8 +207,10 @@ v6.0.0alpha1
v5.0.24-git
-----------
-[mms] Catch failure to add attachments because PHP's maximum allowed POST size
- was exceeded.
+[mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from
+ the browser's local filesystem that has a filename that contains HTML.
+[mms] Catch failure to add attachments in dynamic view because PHP's maximum
+ allowed POST size was exceeded.
[jan] Fix search link from portal if using dynamic view (Bug #11314).
[mms] Fix regression in using Virtual Trash (Bug #11478;
tonyb@go-concepts.com).
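Review bot: the new SECURITY entry carries no bug or advisory identifier, while the neighbouring entries reference theirs (`Bug #11314`, `Bug #11478`); if a tracker or advisory number exists for this XSS, add it so packagers can map the release note to the issue. The rewording of the second entry to "in dynamic view" is a scope clarification and reads fine.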
@@ -800,7 +800,7 @@ var DimpCompose = {
var u = $('upload');
this.uniqueSubmit('addAttachment');
u.up().hide();
- $('upload_wait').update(DimpCore.text.uploading + ' (' + $F(u) + ')').show();
+ $('upload_wait').update(DimpCore.text.uploading + ' (' + $F(u).escapeHTML() + ')').show();
},
toggleCC: function(type)
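Review bot: escaping `$F(u)` before concatenation is the right fix at this site, since `Element#update()` assigns `innerHTML` and the filename is the only user-controlled piece of that string; Prototype's `String#escapeHTML` rewrites `&`, `<` and `>`, which neutralises tags. Two follow-ups worth noting: `DimpCore.text.uploading` on the same line stays unescaped and is safe only as long as that localized string is never user-influenced, and any other place where the selected filename is written into markup needs the same `.escapeHTML()` treatment, so a quick search for other uses of `$F(u)` in this file is warranted.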
@@ -2574,7 +2574,8 @@
<date>2012-07-20</date>
<license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
<notes>
-* [mms] Catch failure to add attachments because PHP&apos;s maximum allowed POST size was exceeded.
+* [mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from the browser&apos;s local filesystem that has a filename that contains HTML.
+* [mms] Catch failure to add attachments in dynamic view because PHP&apos;s maximum allowed POST size was exceeded.
* [jan] Fix search link from portal if using dynamic view (Bug #11314).
* [mms] Fix regression in using Virtual Trash (Bug #11478; tonyb@go-concepts.com).
* [mms] Fix sending MDN notifications in traditional view (Bug #11311).
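Review bot: the unchanged `<date>2012-07-20</date>` in the context above predates this commit (Oct 29, 2012); if this `<notes>` block is the pending 5.0.24 release, the date needs to be bumped when the release is cut. The `&apos;` entity escaping in the two added lines matches the existing entries.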
